Even as Britain’s business community looks to the government for a workable Brexit plan, the shadow of much tougher data privacy regulation is falling right across UK Plc’s economy.
That’s because the EU’s General Data Protection Regulation (GDPR) is dragging citizens’ right to data privacy back to the heart of the continent’s digital economy from May 2018. And this seismic shift will apply however quickly, and most likely on whatever terms, once Britain leaves the EU.
Concern has grown in Europe for years over personal details being exposed in a connected world. But the GDPR goes way beyond previous privacy thinking, enshrining the principle of ‘accountability’ and citizens’ ‘right to be forgotten’ in law – transforming day-to-day business and social interactions that leave digital and cloud footprints.
The directive will pervade commerce. When trading partners agree contracts post-2018, they must decide whether a workable contract requires consent from the citizen, or data subject, to the handling of personal data that isn’t needed to perform the contract itself. This ruling could upset sectors like eCommerce, or manufacturing with extended supply chains, that draw on multiple partners and data sets.
There’s no escaping the GDPR’s shadow, even with Brexit, because it:
- Applies to those supplying goods and services to the EU from inside the union or outside;
- Goes into law without any enabling legislation;
- Takes effect before Britain can complete even its earliest technical Brexit, so UK organisations will need different compliance regimes before and after leaving Europe.
Government ministers, the technology sector and legal commentators agree that complying with the directive will change the way that UK organisations, down to comparatively small businesses, operate. Post-Brexit, Britain will still need a close imitation of the GDPR to trade with European partners.
And if that hasn’t focused C-level minds, penalties for GDPR non-compliance dwarf anything seen before: offender organisations could be fined up to four per cent of turnover.
But the GDPR’s biggest impact will be on day-to-day work, since UK organisations will become directly liable for managing all the unstructured data (customer details, images and social media interactions) on their networks and in the cloud – a challenge for any business.
Legal and technology experts rightly say there is no silver compliance bullet. Boards, we are told, should take a strategic approach: driving compliance, examining privacy standards and getting their employees on board.
But this thinking breaks down in the face of exploding cloud-based data processing levels. IT teams have little or no visibility of their data assets and their final uses, a situation only exacerbated as new cloud services come on-stream or organisations authorise bring-your-own-device (BYOD) programmes simply to stay competitive.
GDPR planning begins with visibility: as employees use cloud apps from Evernote to Netsuite, IT and security professionals are asking: where is the data – and who owns it after it leaves our offices? When a company’s customers use, for example, OneDrive, data is accessed by customers from any device anywhere, so the corporate security team must build corporate-level checks and controls to stop easy data leakage. Well-known UK companies are beginning to deploy Cloud Access Security Broker (CASB) solutions for sanctioning and controlling IT applications, so that, for example, only employees on a patched corporate device can access a sanctioned application.
At present, no team of IT suppliers can provide a complete GDPR compliance solution, but suppliers of technologies such as CASBs are starting to put organisations on a practical path towards it. This is because these suppliers can integrate with corporate network and application monitoring systems – delivering that essential visibility of data.
These fast-evolving capabilities enable us to set out five broad, practical measures for IT and security professionals to anticipate GDPR compliance, as well as help streamline operations, after 2018:
- Boards must oversee systems that meet data subjects’ future requests under GDPR, such as the right to be forgotten, or requesting copies of relevant (unstructured) personal data;
- Organisations must start to design data security into products or services – by default;
- UK companies must plan data security and auditing processes and ways to notify stakeholders of a data breach – as well as making suppliers document their own information security processes;
- Companies with more than 250 employees, or whose operations are based on data handling, will need a data protection officer to scrutinise their IT processes, data security and privacy systems;
- Boards must carry out Data Protection Assessments and train up their IT and security personnel on compliance.
It’s a lengthy list, but cloud services and related hardware technologies will transform organisations’ processing and network monitoring power – with these capabilities increasingly available to CIOs and security teams as flexible, managed services.
There is no silver bullet. But senior IT executives are already scoping the foundations of GDPR compliance. And others will appreciate the irony that UK companies will achieve far better control and visibility of their fast-evolving cloud data processing operations through such focused innovations, even as the directive’s long shadow finally falls over us.
Marc Sollars is CTO of Teneo, a specialist integrator of next generation technology, offering global organisations optimisation solutions for networks, security, storage and applications. The company designs its solutions by understanding through consultancy and delivering through managed services. Marc is on Twitter at: @MarcatTeneo